Michael Palmer, VP and CISO, National Football League

February 13, 2018

From an early age, Michael Palmer’s mother impressed upon him the importance of hard work and a good education if he wanted to have a stable career. Even as a young boy, he worked odd jobs and saved his money to buy his first computer: an Atari 600XL. He bought computing magazines and books and copied the programs from them to type into his Atari to make it do fun things. Eventually Palmer taught himself how to program in languages like Basic and Pascal.

“I was fascinated by my computer,” says Palmer. “I learned how to program it, then started to debug the programs and create variations, and ultimately I wrote my own unique programs. However, I didn’t see any way that I could make money with computers. I didn’t think it would be a stable career field. When it came time for college, I chose to study accounting, thinking I would become a CPA.”

Palmer enrolled at Baruch College – The City University of New York to get his business degree. At the same time, he worked a retail job at Alexander’s department store to pay for his education. “I worked full time and went to school full time. I took off from work on Tuesdays and Thursdays and attended my classes on those days. I worked the weekends and all the other weekdays and that’s how I was able to afford to go to school,” he says.

Palmer says he “sort of fell into the computer field” while working at Alexander’s. “While I was a cashier supervisor at Alexander’s, the store went through an upgrade, trading in our manual cash registers for an IBM computerized system. I adapted to the new registers quickly and became the in-house expert,” he says. “I didn’t know it at the time, but this was my first exposure to a corporate network. The cash registers were connected to an IBM token ring network. Any time there was a problem, like a cable coming disconnected, I was called upon to fix it. Soon other stores learned of my skills and called me directly when they needed help, bypassing the company help desk.”

Frequent problems with the new register system led Palmer to do his first vulnerability assessment—though he didn’t know there was a formal name for what he was doing. He was simply trying to figure out what happened when a register cable was kicked out of place. Due to the nature of the token ring network, when one register went down, none of the registers could communicate with the central computer. Therefore, the cashiers could enter manager price overrides without a manager’s code, which provided an opportunity for fraud. When Palmer discovered and reported this vulnerability, he realized there was indeed a career path for him in computers, and he promptly switched his college major to Computer Information Systems. He graduated with a Bachelor of Business Administration and Computer Information Systems from Baruch College.

After college, Palmer’s path took him through several companies – Madison Square Garden, Group Health Incorporated, Ascom Timeplex and Dreyfus – that made him an expert in networking technologies. Managing networks was a difficult job, given that application owners and developers like to point their fingers at the network when applications don’t work. “I had a saying that the network was guilty until proven innocent,” says Palmer. “My job was to show them what was wrong with their applications and demonstrate that the network was fine.”

Then he found his calling at the National Football League. “I was hired at the NFL to run the data network and security solutions,” says Palmer. “What made me stand out was my ability to do hexadecimal math in my head. At the time, the NFL operated a Layer 2 network between the clubs. Only specific computers could access the league systems. It required managing MAC access control lists on a variety of bridges and routers, and I was good at this.”

The NFL’s first CISO

Palmer justified the business case for creating the league’s Information Security Office by demonstrating how information security was critical to the business and aligned with the league’s Mission and Values. He became the league’s first CISO—a position he has held for more than five years, giving him more than 20 years total with the league. It’s a challenging position, given the stakeholders: 32 individual clubs, many of whose stadiums are owned by local government entities. Add to this a television network, a consumer products licensing business, sponsors and vendors that are part of one of the world’s most iconic brands.

“There are two things that help make me successful in my job,” says Palmer. “One is the customer relationship management skills I developed by working at the department store all those years ago. I learned that the customer is always right, but it’s up to me to make them see my point of view. The second thing is an ability to solve problems. I can break a problem down to its core components, figure out the cause and come up with a solution.”

Palmer says a CISO needs several skills: being a good storyteller, knowing how to build relationships, and learning to lead by influence. “I need to wield influence in my job to get things done,” he says. “Being a good storyteller is very important. I have to take a situation and change the wording to give it meaning to different audiences. I talk differently to a senior-level executive than I do to a network technician, even though I’m talking about the same risk. For example, if we’re talking about a flaw in wireless technology, I might talk to the technician about encryption protocols and key management techniques I would like him to implement. When I’m talking to senior management, I am discussing technology that has flaws. We need funding to upgrade the technology to avoid a data breach or an integrity issue that may occur over the wireless network. If we don’t correct it, the medical professionals on the field may have challenges accessing player health information to treat injuries. This would impact the league’s business initiative of protecting the health and safety of our players.”

Palmer is quite adept at using his influencing skills. “When you have a mission with a large, complex organizational structure composed of people that you may not have authority over, leading by influence is very important,” he says. “It really comes down to relationship management. You have to basically be able to find the common ground. You have to find out what’s in it for them, right? And everyone wants to be safe, everyone wants to be secure. So, it’s about leveraging what they want and then correlating it to what you’re trying to drive and coming up with common ground to make it a win for them, or better yet, a win for both parties.”

He says a key attribute of an effective CISO is to be a good listener. “Quite often, you have to listen before speaking. By listening, you’re able to understand different points of view and then help people manage those different views to achieve a common goal,” says Palmer. “From the league’s perspective, my area – the Information Security Office – is responsible for governance from an information security perspective. Due to the size of the NFL, this is not a mission that can be accomplished by us alone. Cybersecurity is a team sport. Just as our adversaries are highly organized, we must have a plan. Our playbook incorporates information security sharing across a wide scope of public and private sector partners that all have a vested interest in protecting the safety of our fans. Take, for example, Super Bowl. Not only do we share Indicators of Compromise (IOC), we also share tactics, procedures and lessons learned with other sports leagues, media companies, utility companies, Internet service providers, hotels, convention centers, and of course federal, state and local law enforcement agencies. We bring the stakeholders into a massive tabletop exercise to discuss cyber operations for the event.”

“I’m a firm believer that a lot of your core principles and values are established when you’re young,” says Palmer. He credits his mother’s influence, plus his early jobs, as helping to build the values that have served him so well. “My relationship management abilities, which are very important to the role of a CISO, came from the fact that I worked in a department store where the customers are always right. With the job that I had in the store, I had to deal a lot with customers. That helped me with understanding how to deal with people, especially when they were very angry, and how to turn the situation around to my advantage to get the outcome that I wanted to get versus the outcome that they wanted to get. A lot of times it was give and take but by learning how to do that at a very early age, it became more natural to me when I became a corporate business leader.”

Palmer has been successful in his two decades with the NFL, but he considers his most important job to be that of a good husband and father. Married for 22 years, he and his wife have two children. His daughter is studying Mechanical Engineering at Massachusetts Institute of Technology and his son is studying Computer Science at Rochester Institute of Technology.

In addition to shepherding his children into good educations that should lead to successful careers, Palmer believes in giving back to his community. “I’m passionate about diversity in the technology space,” he says. “We as leaders have a responsibility to attract more women and minorities into the technology field. Not only do we need to create a pipeline but we also have to mentor and sponsor tomorrow’s leaders.”